CS499/579 :: Empirical Computer Security
Fall 2024



Latest Announcements [Full List]


Textbooks

No required textbook. Reading materials will be provided on the course website and/or distributed in class.

Prerequisites

This course requires a basic understanding of computer security. You are expected to have taken at least one of the following courses:

  • CS 370 :: Intro to Security
  • CS 312 :: Defense Against the Dark Arts

Grading

Your final grade for this course will be based on the following scheme:

  • 60%: Research Project
  • 15%: Paper Discussion Lead
  • 15%: Paper Discussion Questions
  • 10%: Class Participation
  • No midterm/final exam.

Schedule

This schedule is subject to change. Please check back regularly.
Date Topic(s) Before Class Reading/Notes Assignments
Empirical Security 101
Wed 09/25 Administrivia
Slides
[Assigned] Research project
Mon 09/30 Empirical Security
Slides
- [Optional] SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit. (Slides|Video)
Wed 10/02 Measurement + Ethics
Slides
- [Optional] Strategies for Sound Internet Measurement.
- [Optional] ZMap: Fast Internet-wide Scanning and Its Security Applications. (Slides|Video)
- [Optional] Dos and Don'ts of Machine Learning in Computer Security. (Slides|Video)
- [Optional] Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations. (Slides|Video)
[Deadline] Presentation signup
Due 10/02 at 9PM PDT (UTC-7)
[Deadline] Submit Project Team
Due 10/04 at 9PM PDT (UTC-7)
Mon 10/07 Security
Slides
- [Optional] Perspectives on Security.
- [Optional] Reflections on Trusting Trust.
- [Optional] Running the "Reflections on Trusting Trust" Compiler.
Internet Security
Wed 10/09 Web Tracking - Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. (Slides|Video)
- XRay: Enhancing the Web’s Transparency with Differential Correlation. (Slides|Video)
- [Optional] The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. (Slides)
Mon 10/14 Public Keys - Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. (Slides|Video)
- The Million-Key Question — Investigating the Origins of RSA Public Keys . (Slides|Video)
Wed 10/16 TLS - The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software.
- The Security Impact of HTTPS Interception.
[Deadline] Project Proposal
Due 10/16 at 9PM PDT (UTC-7)
Sign up for a proposal meeting.
Mon 10/21 DDoS + Botnets - Inferring Internet Denial-of-Service Activity.
- Understanding the Mirai Botnet. (Slides|Video)
- [Optional] BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection.
User + Usable Security
Wed 10/23 Passwords - A Two-Decade Retrospective Analysis of a University's Vulnerability to Attacks Exploiting Reused Passwords. (Slides|Video)
- The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. (Slides)
Mon 10/28 User Authentication + Spam - Click Trajectories: End-to-End Analysis of the Spam Value Chain.
- Towards Implicit Visual Memory-Based Authentication. (Slides|Video)
- [Optional] Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks. (Slides|Video)
Wed 10/30 Social Engineering - Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale. (Slides|Video)
- Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis. (Slides|Video)
Mon 11/04 Security Indicators - Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. (Slides|Video)
- Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. (Slides|Video)
[Deadline] Sign up for a research update meeting.
Software + Systems Security
Wed 11/06 Memory attacks - The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)..
- SoK: Eternal War in Memory.
Mon 11/11 No class Veterans Day
Wed 11/13 Finding vulnerabilities - Evaluating Fuzz Testing. (Video)
- Before we knew it: An empirical study of zero-day attacks in the real world.
Mon 11/18 IoT - Security Analysis of Emerging Smart Home Applications. (Slides|Video)
- SoK: Security Evaluation of Home-Based IoT Deployments. (Slides|Video)
Wed 11/20 Cyber-Physical Systems - Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
- Comprehensive Experimental Analyses of Automotive Attack Surfaces. (Video)
- [Optional] Security Analysis of a Full-Body Scanner. (Slides|Video)
[Deadline] (Optional) Sign up for a second research update meeting.
Mon 11/25 ML-Assisted Programming - Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions. (Video)
- Do Users Write More Insecure Code with AI Assistants?. (Slides)
Wed 11/27 No class Happy Thanksgiving eve!
Mon 12/02 Adversarial Machine Learning - Towards Evaluating the Robustness of Neural Networks. (Video)
- Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition. (Video)
- [Optional] Intriguing properties of neural networks.
Meta Analysis + Wrap up
Wed 12/04 Meta-analysis - Milk or Wine: Does Software Security Improve with Age?.
- A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists.
Finals Week
Mon 12/09 Project Presentations Time/Location TBD [Deadline] Final project report
Due 12/11 at 9PM PST (UTC-8)